NEWS AT SEI
This article was originally published in News at SEI on: April 1, 2005
SEI work in computer forensics to help organizations prepare for legal and technical ramifications of computer security incidents.
The Carnegie Mellon Software Engineering Institute and CERT will begin offering a new training course, Computer Forensics for Technical Staff, in January 2006.
The term computer forensics, and the practice it names, is a recent development in the larger field of computer incident response. The field received governmental funding and recognition when CERT was created in response to the November 1988 “Morris” worm incident, which disabled 10% of the systems connected to the Internet. The Defense Advanced Research Projects Agency (DARPA) charged the SEI with setting up a center to coordinate communication among experts during security emergencies and to help prevent future incidents.
Since that time, organizations have focused on many aspects of computer security, from preventing such incidents from happening in the first place, to “hardening” systems and analyzing product vulnerabilities. CERT has taken a leading role in these efforts, working to ensure that appropriate technology and systems-management practices are used to resist attacks on networked systems and to limit damage and ensure continuity of critical services in spite of successful attacks, accidents, or failures. The goal of this work is to enhance the survivability of computer networks.
The next step in this evolution is an increasingly intense focus on aspects of computer forensics. US-CERT, the operational arm of the National Cyber Security Division at the Department of Homeland Security, defines this term as “the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law” [US-CERT 05].
The SEI recognizes that adding the ability to practice sound computer forensics will help network administrators, computer security staff, and corporate officials ensure the overall integrity and survivability of their networks’ infrastructures. For instance, understanding the legal and technical aspects of computer forensics will help organizations capture vital information if a network is compromised and will help prosecution of the case if the intruder is caught. If computer forensics is ignored or practiced badly, organizations risk destroying vital evidence or having forensic evidence ruled inadmissible in court.
The main technical goal of computer forensics is to identify, collect, preserve, and analyze data in a way that preserves the integrity of the evidence collected so it can be used effectively in a legal case. Those who investigate computers must first understand the kind of potential evidence they are looking for in order to structure their search. Second, the investigator must pick the appropriate tools to use. Files may have been deleted, damaged, or encrypted, and the investigator must be familiar with an array of methods and software to prevent further damage in the recovery process.
System administrators and security personnel must also have a basic understanding of how routine computer and network administrative tasks can affect both the forensic process—the potential admissibility of evidence in court—and the subsequent ability to recover data that may be critical to the identification and analysis of a security incident. Finally, anyone overseeing network security must be aware of the legal implications of forensic activity, and security professionals must consider their policy decisions and technical actions in the context of existing laws.
The SEI has researched best practices and evaluated current information on the subject, and is now working to disseminate both the technical and legal knowledge needed to help organizations learn computer forensics principles and practices. Richard Nolan and other CERT professionals have collaborated to produce the First Responders Guide to Computer Forensics, an extensive guide for those who wish to learn more about this burgeoning field [Nolan 05].
This handbook targets a critical training gap in information security, computer forensics, and incident response: performing basic forensic data collection. The focus is on providing system and network administrators with methodologies, tools, and procedures for applying fundamental computer forensics when collecting data on both a live and a powered-off machine. The handbook should help first responders:
- understand the essential laws that govern their actions
- understand key data types residing on live machines
- evaluate and create a trusted set of tools for the collection of data
- collect, preserve, and protect data from live and shut-down machines
- learn methodologies for collecting information that are forensically sound (i.e., able to withstand the scrutiny of the courts)
There are four modules in the handbook. The first describes cyberlaws and their impact on incident response. The second builds understanding of file systems and outlines a best practice methodology for creating a trusted first responder tool kit for investigating potential incidents. The third reviews some best practices, techniques, and tools for collecting volatile data from live Windows and Linux systems and explains the importance of collecting volatile data before it is lost or changed. The final module reviews techniques for capturing persistent data in a forensically sound manner and describes the location of common persistent data types.
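The handbook's emphasis on forensically sound collection comes down to being able to prove that the data examined later is exactly the data that was collected. As an added example, not code from the handbook or the course, the script below records a SHA-256 manifest for collected artifacts at acquisition time and re-verifies it later so that any alteration is detectable; the file names, collector ID and sample contents are constructed.

```python
"""Evidence-integrity manifest: hash each collected artifact at acquisition
time, record who collected it and when, and re-verify before analysis."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 (disk images may be many GB)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, collector):
    """Record collector, UTC acquisition time, size and hash of each artifact."""
    return {
        "collector": collector,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "items": [{"path": p, "size": os.path.getsize(p),
                   "sha256": sha256_file(p)} for p in paths],
    }


def verify_manifest(manifest):
    """Return paths whose current hash differs from (or is missing vs.) the manifest."""
    return [i["path"] for i in manifest["items"]
            if not os.path.exists(i["path"]) or sha256_file(i["path"]) != i["sha256"]]


def demo():
    """Constructed artifacts: a volatile-data capture and a small 'disk image'."""
    d = tempfile.mkdtemp()
    vol = os.path.join(d, "volatile-netstat.txt")
    img = os.path.join(d, "disk.dd")
    with open(vol, "w") as f:
        f.write("tcp 0 0 192.0.2.10:4444 ESTABLISHED\n")  # constructed sample line
    with open(img, "wb") as f:
        f.write(os.urandom(4096))                         # constructed sample bytes
    manifest = build_manifest([vol, img], "responder-01")  # hypothetical collector ID
    with open(os.path.join(d, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    before = verify_manifest(manifest)      # expected: [] (nothing changed yet)
    with open(vol, "a") as f:
        f.write("appended later\n")         # simulate alteration after collection
    after = verify_manifest(manifest)       # expected: [vol]
    return manifest, before, after
```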
The Computer Forensics for Technical Staff training course expands on the information in that document. Technical staff who administer and secure information systems and networks will learn more about U.S. cyberlaws and how they affect information security, building and testing safe tool sets, collecting volatile data, and collecting persistent data. Students will have an opportunity to use Helix, Knoppix-STD, Sleuth Kit/Autopsy, dd, PsTools, and many other forensics tools during class. A final scenario puts students into teams and directs them to determine the nature and extent of a suspicious intrusion-detection system alert within a running networked environment. In addition, the team is directed to collect relevant host and network information for an internal investigation of a questionable email that was forwarded by a “concerned employee.”
The first public offering of the Computer Forensics for Technical Staff course will take place January 31–February 2, 2006. To register and to obtain more information, visit the SEI's training pages.
[Nolan 05] Nolan, Richard; O'Sullivan, Colin; Branson, Jake; & Waits, Cal. First Responders Guide to Computer Forensics (CMU/SEI-2005-HB-001). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2005.
[US-CERT 05] US-CERT. Computer Forensics. 2005.